<!DOCTYPE html>
<html>

<head>
  
  <title>bugku江湖魔头 - 文乐的爸爸</title>
  <meta charset="UTF-8">
  <meta name="description" content="">
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  
  

  <link rel="shortcut icon" href="/images/avatar.png" type="image/png" />
  <meta name="description" content="bugku江湖魔头">
<meta property="og:type" content="article">
<meta property="og:title" content="bugku江湖魔头">
<meta property="og:url" content="https:&#x2F;&#x2F;ctfer-stao.github.io&#x2F;posts&#x2F;5118b0b8.html">
<meta property="og:site_name" content="文乐的爸爸">
<meta property="og:description" content="bugku江湖魔头">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822162058786.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822162313765.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822162404322.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822164154890.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822182107975.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;2019082218215275.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822182232364.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822180438332.png">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822181437104.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822181502677.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
<meta property="og:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822181842342.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
<meta property="article:published_time" content="2019-12-12T11:24:50.971Z">
<meta property="article:modified_time" content="2019-12-12T11:29:42.805Z">
<meta property="article:author" content="Stao">
<meta property="article:tag" content="web">
<meta property="article:tag" content="js">
<meta property="article:tag" content="base64">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https:&#x2F;&#x2F;img-blog.csdnimg.cn&#x2F;20190822162058786.png?x-oss-process&#x3D;image&#x2F;watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng&#x3D;&#x3D;,size_16,color_FFFFFF,t_70">
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/mdui@0.4.3/dist/css/mdui.min.css">
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/highlight.js@9.15.8/styles/atom-one-dark.css">
   
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/fancyapps/fancybox@3.5.7/dist/jquery.fancybox.min.css" />
  
  
  <link rel="stylesheet" href="//at.alicdn.com/t/font_1038733_0xvrvpg9c0r.css">
  <link rel="stylesheet" href="/css/style.css?v=1576763231170">
<meta name="generator" content="Hexo 4.1.1"></head>

<body class="mdui-drawer-body-left">
  
  <div id="nexmoe-background">
    <div class="nexmoe-bg" style="background-image: url(https://i.loli.net/2019/01/13/5c3aec85a4343.jpg)"></div>
    <div class="mdui-appbar mdui-shadow-0">
      <div class="mdui-toolbar">
        <a mdui-drawer="{target: '#drawer', swipe: true}" title="menu" class="mdui-btn mdui-btn-icon"><i class="mdui-icon material-icons">menu</i></a>
        <div class="mdui-toolbar-spacer"></div>
        <!--<a href="javascript:;" class="mdui-btn mdui-btn-icon"><i class="mdui-icon material-icons">search</i></a>-->
        <a href="/" title="Stao" class="mdui-btn mdui-btn-icon"><img src="/images/avatar.png"></a>
       </div>
    </div>
  </div>
  <div id="nexmoe-header">
      <div class="nexmoe-drawer mdui-drawer" id="drawer">
    <div class="nexmoe-avatar mdui-ripple">
        <a href="/" title="Stao">
            <img src="/images/avatar.png" alt="Stao">
        </a>
    </div>
    <div class="nexmoe-count">
        <div><span>文章</span>2</div>
        <div><span>标签</span>6</div>
        <div><span>分类</span>1</div>
    </div>
    <ul class="nexmoe-list mdui-list" mdui-collapse="{accordion: true}">
        
        <a class="nexmoe-list-item mdui-list-item mdui-ripple" href="/" title="回到首页">
            <i class="mdui-list-item-icon nexmoefont icon-home"></i>
            <div class="mdui-list-item-content">
                回到首页
            </div>
        </a>
        
        <a class="nexmoe-list-item mdui-list-item mdui-ripple" href="/about.html" title="关于博客">
            <i class="mdui-list-item-icon nexmoefont icon-info-circle"></i>
            <div class="mdui-list-item-content">
                关于博客
            </div>
        </a>
        
        <a class="nexmoe-list-item mdui-list-item mdui-ripple" href="/PY.html" title="我的朋友">
            <i class="mdui-list-item-icon nexmoefont icon-unorderedlist"></i>
            <div class="mdui-list-item-content">
                我的朋友
            </div>
        </a>
        
    </ul>
    <aside id="nexmoe-sidebar">
  
  <div class="nexmoe-widget-wrap">
    <h3 class="nexmoe-widget-title">社交按钮</h3>
    <div class="nexmoe-widget nexmoe-social">
        <a class="mdui-ripple" href="https://github.com/ctfer-Stao" target="_blank" mdui-tooltip="{content: 'GitHub'}" style="color: rgb(25, 23, 23);background-color: rgba(25, 23, 23, .15);">
            <i class="nexmoefont icon-github"></i>
        </a>
    </div>
</div>
  
  
  <div class="nexmoe-widget-wrap">
    <h3 class="nexmoe-widget-title">文章分类</h3>
    <div class="nexmoe-widget">

      <ul class="category-list">

        


        

        

        <li class="category-list-item">
          <a class="category-list-link" href="/categories/CTF/">CTF</a>
          <span class="category-list-count">2</span>
        </li>

        
      </ul>

    </div>
  </div>


  
  
  <div class="nexmoe-widget-wrap">
    <h3 class="nexmoe-widget-title">标签云</h3>
    <div id="randomtagcloud" class="nexmoe-widget tagcloud">
      <a href="/tags/base64/" style="font-size: 10px;">base64</a> <a href="/tags/js/" style="font-size: 10px;">js</a> <a href="/tags/php%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/" style="font-size: 10px;">php反序列化</a> <a href="/tags/readflag/" style="font-size: 10px;">readflag</a> <a href="/tags/web/" style="font-size: 20px;">web</a> <a href="/tags/xxe/" style="font-size: 10px;">xxe</a>
    </div>
    
  </div>

  
</aside>
    <div class="nexmoe-copyright">
        &copy; 2019 Stao
        Powered by <a href="http://hexo.io/" target="_blank">Hexo</a>
        & <a href="https://nexmoe.com/hexo-theme-nexmoe.html" target="_blank">Nexmoe</a>
    </div>
</div><!-- .nexmoe-drawer -->
  </div>
  <div id="nexmoe-content">
    <div class="nexmoe-primary">
        <div class="nexmoe-post">
    <div class="nexmoe-post-cover"> 
        
        <img src="https://img-blog.csdnimg.cn/20190822162313765.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70">
        
        <h1>bugku江湖魔头</h1>
    </div>
  <div class="nexmoe-post-meta">
    <a><i class="nexmoefont icon-calendar-fill"></i>2019年12月12日</a>
    <a><i class="nexmoefont icon-areachart"></i>1.9k 字</a>
    <a><i class="nexmoefont icon-time-circle-fill"></i>大概 8 分钟</a>
    
      <a class="nexmoefont icon-appstore-fill -link" href="/categories/CTF/">CTF</a>
    
    
      <a class="nexmoefont icon-tag-fill -link" href="/tags/base64/" rel="tag">base64</a> <a class="nexmoefont icon-tag-fill -link" href="/tags/js/" rel="tag">js</a> <a class="nexmoefont icon-tag-fill -link" href="/tags/web/" rel="tag">web</a>
    
  </div>
  <article>
    <p>bugku江湖魔头</p>
<a id="more"></a>

<p>最近开始接触web安全，顺便在bugku找了点题做，所以遇到了一道这么有趣的题目：<strong>江湖魔头</strong>。<br>刚开始我很天真，以为直接用brupsuit抓请求包和响应包，然后修改响应包内<strong>html</strong>的数据，将金钱还有属性改成很多很多。结果现实很打脸，网页中属性的数据确实是改过来了，但是要购买的时候发现还是显示金钱不足。<img src="https://img-blog.csdnimg.cn/20190822162058786.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70" alt="brupsuit"><br><img src="https://img-blog.csdnimg.cn/20190822162313765.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"><br><img src="https://img-blog.csdnimg.cn/20190822162404322.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"><br> **</p>
<h2 id="在网上寻找解题办法："><a href="#在网上寻找解题办法：" class="headerlink" title="在网上寻找解题办法："></a>在网上寻找解题办法：</h2><p>**</p>
<p>做为刚接触web安全的小白，这个时候我也不知道该怎么办了，所以只能在网上寻找答案，很幸运的<br>看到了大佬的文章，也因此拿到了flag；<a href="https://blog.csdn.net/qq_25899635/article/details/92759985" target="_blank" rel="noopener">这是大佬的文章链接</a>。这位大哥思路很好，我完全是按照他的思路来的。不过其中有一些细节大佬没有讲到，对像我这样的小白不够友好，所以我想着写这篇博客，希望能帮到像我一样有疑惑的同学，顺便记录下自己的学习。大佬可以绕道了。哈哈</p>
<h2 id="正式开始讲解"><a href="#正式开始讲解" class="headerlink" title="正式开始讲解"></a>正式开始讲解</h2><p>前面废话有点多，这里正式开始本题的讲解。<br>首先打开网页的源码，发现很简洁，感觉可用的信息很少，（有人是删除了wulin.php后的参数，但我感觉用处不大，可能我这种小白不太懂那种思路），但是仔细一看，有三个js文件，这些js文件就是我们的突破点了。<br>首先打开第一个文件：js/script.js。一看，我的天，这什么东西，看都看不懂。<img src="https://img-blog.csdnimg.cn/20190822164154890.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"><br>看来得格式化一下，当然，一开始我是直接格式化的，发现还是看不懂，这里得反压缩反混淆才行，<a href="https://tool.lu/js/" target="_blank" rel="noopener">https://tool.lu/js/</a> 我是在这个网站弄的，大家可以参考着用，或者直接百度，网上很多在线的工具，记得要找反压缩的。</p>
<h2 id="解压后的js文件"><a href="#解压后的js文件" class="headerlink" title="解压后的js文件"></a>解压后的js文件</h2><pre><code>unction getCookie(cname) {
    var name = cname + &quot;=&quot;;
    var ca = document.cookie.split(&apos;;&apos;);
    for (var i = 0; i &lt; ca.length; i++) {
        var c = ca[i].trim();
        if (c.indexOf(name) == 0) return c.substring(name.length, c.length)
    }
    return &quot;&quot;
}
function decode_create(temp) {
    var base = new Base64();
    var result = base.decode(temp);
    var result3 = &quot;&quot;;
    for (i = 0; i &lt; result.length; i++) {
        var num = result[i].charCodeAt();
        num = num ^ i;
        num = num - ((i % 10) + 2);
        result3 += String.fromCharCode(num)
    }
    return result3
}
function ertqwe() {
    var temp_name = &quot;user&quot;;
    var temp = getCookie(temp_name);
    temp = decodeURIComponent(temp);
    var mingwen = decode_create(temp);
    var ca = mingwen.split(&apos;;&apos;);
    var key = &quot;&quot;;
    for (i = 0; i &lt; ca.length; i++) {
        if (-1 &lt; ca[i].indexOf(&quot;flag&quot;)) {
            key = ca[i + 1].split(&quot;:&quot;)[2]
        }
    }
    key = key.replace(&apos;&quot;&apos;, &quot;&quot;).replace(&apos;&quot;&apos;, &quot;&quot;);
    document.write(&apos;&lt;img id=&quot;attack-1&quot; src=&quot;image/1-1.jpg&quot;&gt;&apos;);
    setTimeout(function() {
        document.getElementById(&quot;attack-1&quot;).src = &quot;image/1-2.jpg&quot;
    }, 1000);
    setTimeout(function() {
        document.getElementById(&quot;attack-1&quot;).src = &quot;image/1-3.jpg&quot;
    }, 2000);
    setTimeout(function() {
        document.getElementById(&quot;attack-1&quot;).src = &quot;image/1-4.jpg&quot;
    }, 3000);
    setTimeout(function() {
        document.getElementById(&quot;attack-1&quot;).src = &quot;image/6.png&quot;
    }, 4000);
    setTimeout(function() {
        alert(&quot;浣犱娇鐢ㄥ鏉ョ鎺屾墦璐ヤ簡钂欒€侀瓟锛屼絾涓嶇煡閬撴槸鐪熻韩杩樻槸鍋囪韩锛屾彁浜よ瘯涓€涓嬪惂!flag{&quot; + md5(key) + &quot;}&quot;)
    }, 5000)
}</code></pre><p>看起来容易了许多。大概看一下这个代码的意思，应该是首先获取cookie中user的值，然后进行多次的解码，其中包括url的解码，以及base64的解码（这里的这些编码我也不是很了解，需要补补课，不过大概能看懂就好），然后解码得到的数值应该就是我们网页上显示的那些属性的数据。另外两个js文件就是提供一些编码还有解码的函数，这里不再细讲。<br>讲到这里，相信我们也就有思路了，获取和解码cookie，然后修改money的数值，接着再将cookie编码，然后修改cookie，以达到修改金钱的目的。<br>下面我们按照这个思路一步步来。</p>
<h2 id="获取和解码cookie"><a href="#获取和解码cookie" class="headerlink" title="获取和解码cookie"></a>获取和解码cookie</h2><p>首先，我们按F12调出开发者选项，这里我用的是谷歌浏览器，不同浏览器可能会有不同，不过大同小异吧。<br>在console即控制台中输入：var test=getCookie(‘user’); 获取cookie的值，注意这里以及后面的许多函数，都是js文件里面的函数，可以拿出来用。得到cookie的值后，接着在控制台依次输入：test=decodeURIComponent(test) 和test=decode_create(test)。得到解码后的数值后，我们会惊奇的发现，我们看得懂这些值，一眼可以看到money的值为0；<br><img src="https://img-blog.csdnimg.cn/20190822182107975.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"><br>接着我们就理所当然的要修改money的数值为自己想要的数值啦。然后进行再编码。</p>
<h2 id="cookie修改后的再编码"><a href="#cookie修改后的再编码" class="headerlink" title="cookie修改后的再编码"></a>cookie修改后的再编码</h2><p>再编码其实就是解码的逆过程，按照js文件的解码顺序反过来。首先是应该是encode_create()，<br>当然，js文件里面没有这样的函数，所以我们要自己来写。按照decode_create()的模式来进行编码。</p>
<pre><code>function decode_create(temp) {
    var base = new Base64();
    var result = base.decode(temp);
    var result3 = &quot;&quot;;
    for (i = 0; i &lt; result.length; i++) {
        var num = result[i].charCodeAt();
        num = num ^ i;
        num = num - ((i % 10) + 2);
        result3 += String.fromCharCode(num)
    }
    return result3
}</code></pre><p>这个是解码的代码，我们按照这个代码反着来</p>
<pre><code>var result3 = &quot;&quot;;
    for (i = 0; i &lt; test.length; i++) {
        var num =test[i].charCodeAt();
        num = num + ((i % 10) + 2);
        num = num ^ i;
        result3 += String.fromCharCode(num)
    }</code></pre><p>这里注意顺序要反过来，解码是先异或，编码则是后面异或，而且-变成+。这里注意：a^b=c<br>c^b=a. 可以自己验证。<br>接着我们就应该base.encode(),但是这里有个坑，观察js/base64.js 文件的encode函数和decode函数，我们发现,decode函数注释了output = _utf8_decode(output); 但是encode 却有 input = _utf8_encode(input); 这里要是没注意到，直接用他的encode 函数，就会出错。所以这里我们自己写代码，将input = _utf8_encode(input)删掉 （这里我忘记删掉这一句了，幸好我没有用到input这个变量，而是用result3，所以相当于删掉了这一句代码）</p>
<pre><code>var base = new Base64();
var output = &quot;&quot;;
        var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
        var i = 0;
        input = _utf8_encode(result3);
        while (i &lt;result3.length) {
            chr1 = result3.charCodeAt(i++);
            chr2 =result3.charCodeAt(i++);
            chr3 = result3.charCodeAt(i++);
            enc1 = chr1 &gt;&gt; 2;
            enc2 = ((chr1 &amp; 3) &lt;&lt; 4) | (chr2 &gt;&gt; 4);
            enc3 = ((chr2 &amp; 15) &lt;&lt; 2) | (chr3 &gt;&gt; 6);
            enc4 = chr3 &amp; 63;
            if (isNaN(chr2)) {
                enc3 = enc4 = 64;
            } else if (isNaN(chr3)) {
                enc4 = 64;
            }
            output = output +
            _keyStr.charAt(enc1) + _keyStr.charAt(enc2) +
            _keyStr.charAt(enc3) + _keyStr.charAt(enc4);
    }</code></pre><p><img src="https://img-blog.csdnimg.cn/2019082218215275.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"><br><img src="https://img-blog.csdnimg.cn/20190822182232364.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"></p>
<p>最好我们再 用encodeURIComponent()函数就可以得到重新编码后的cookie啦<br><img src="https://img-blog.csdnimg.cn/20190822180438332.png" alt="在这里插入图片描述"></p>
<h2 id="修改cookie"><a href="#修改cookie" class="headerlink" title="修改cookie"></a>修改cookie</h2><p>有人通过documen.cookie=’’ 来修改cookie ,但是我修改后不知道怎么生效，所以这里我用brupsuit来修改。通过brupsuit抓请求包，然后修改cookie的值再发送请求。<br><img src="https://img-blog.csdnimg.cn/20190822181437104.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"><br><img src="https://img-blog.csdnimg.cn/20190822181502677.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"><br><img src="https://img-blog.csdnimg.cn/20190822181842342.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMyOTc5Ng==,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"><br>这里我是在点击商店后，才抓取请求包，然后修改cookie 才可以买东西还有。如果点属性的时候修改，然后点商店购买发现不行。</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>到这里为止，这个大魔君就被我们打败啦。这道题的思路不是我自己想出来的，是参考大佬的文章然后自己慢慢试出来的。(文中有链接)<br>我发现网上对这道题的解法的讲解不多，所以斗胆写个文章来记录下自己的解法，希望多新手有帮助，有疑惑的同学可以在下面留言一起探讨哦。因为是第一次写博客，而且也是刚接触安全这方面的知识，希望有什么不好的地方，大佬们可以提出来，小弟也可以慢慢改进。</p>

  </article>
  
    
<div class="nexmoe-post-copyright">
<i class="mdui-list-item-icon nexmoefont icon-info-circle"></i>
<strong>本文作者：</strong>Stao<br>
<strong>本文链接：</strong><a href="https://ctfer-stao.github.io/posts/5118b0b8.html" title="https:&#x2F;&#x2F;ctfer-stao.github.io&#x2F;posts&#x2F;5118b0b8.html" target="_blank" rel="noopener">https:&#x2F;&#x2F;ctfer-stao.github.io&#x2F;posts&#x2F;5118b0b8.html</a><br>

  <strong>版权声明：</strong>本文采用 <a href="https://creativecommons.org/licenses/by-nc-sa/3.0/cn/deed.zh" target="_blank">CC BY-NC-SA 3.0 CN</a> 协议进行许可

</div>


  
  <section class="nexmoe-comment">
    <div id="gitment"></div>
<link rel="stylesheet" href="https://imsun.github.io/gitment/style/default.css">
<script src="https://imsun.github.io/gitment/dist/gitment.browser.js"></script>
<script>
var gitment = new Gitment({
    owner: 'ctfer-Stao', // 你的 GitHub ID
    repo: 'ctfer-Stao.github.io', // 存储评论的 repo
    oauth: {
        client_id: '87bde7b021d7f2e999b9', // 你的 client ID
        client_secret: '3699080e4968cab7d9b54e8df4ea37a2d7bb7a4d' // 你的 client secret
    },
})
gitment.render('gitment')
</script>
</section>
</div>
    </div>
  </div>
  <script src="https://cdn.jsdelivr.net/npm/mdui@0.4.3/dist/js/mdui.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery@3.4.1/dist/jquery.min.js"></script>
 
    <script src="https://cdn.jsdelivr.net/gh/fancyapps/fancybox@3.5.7/dist/jquery.fancybox.min.js"></script>


 
    <script src="https://cdn.jsdelivr.net/npm/smoothscroll-for-websites@1.4.9/SmoothScroll.min.js"></script>


<script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@9.15.8/build/highlight.min.js"></script>
<script>hljs.initHighlightingOnLoad();</script>

<script src="/js/app.js?v=1576763231175"></script>
<script src="https://cdn.jsdelivr.net/npm/lazysizes@5.1.0/lazysizes.min.js"></script>


    <script type="text/javascript" src="https://cdn.jsdelivr.net/gh/xtaodada/xtaodada.github.io@0.0.2/copy.js"></script>



  





</body>

</html>
